xcombelle (Xavier Combelle)
User

Projects

User does not belong to any projects.

User Details

User Since
Oct 16 2014, 7:26 PM (260 w, 3 d)
Availability
Available
LDAP User
Unknown
MediaWiki User
Xavier Combelle [ Global Accounts ]

Recent Activity

Mar 23 2019

xcombelle added a comment to T216664: MWException when viewing or comparing certain pages with Preprocessor_DOM (PHP7 beta feature).
  1. Could the error be replaced by a clear error which says what really happens on PHP 7?
  2. Apparently the max count of nodes is broken on the current setup of MediaWiki. Maybe it is not that useful? Once the count is right, probably it can't be fully removed, but can it be increased so that it doesn't create problems?
Mar 23 2019, 10:35 AM · MediaWiki-Page-History, Core Platform Team Workboards (Done with CPT), serviceops, Core Platform Team (Needs Cleaning - Security, stability, performance, and scalability (TEC1)), PHP 7.2 support, MediaWiki-Page-Diffs, MediaWiki-Parser, Wikimedia-production-error

Mar 17 2019

xcombelle added a comment to T218517: Page creation log show only recents entries.

Sorry for the disturbance, I wrongly remembered seeing such entries older than 2018. I must have confused it with creation of users. One can close the ticket from my point of view.

Mar 17 2019, 6:08 PM · MediaWiki-Logging, MediaWiki-Special-pages
xcombelle updated the task description for T218517: Page creation log show only recents entries.
Mar 17 2019, 5:29 PM · MediaWiki-Logging, MediaWiki-Special-pages
xcombelle created T218517: Page creation log show only recents entries.
Mar 17 2019, 5:28 PM · MediaWiki-Logging, MediaWiki-Special-pages

Feb 20 2019

xcombelle created T216664: MWException when viewing or comparing certain pages with Preprocessor_DOM (PHP7 beta feature).
Feb 20 2019, 11:24 PM · MediaWiki-Page-History, Core Platform Team Workboards (Done with CPT), serviceops, Core Platform Team (Needs Cleaning - Security, stability, performance, and scalability (TEC1)), PHP 7.2 support, MediaWiki-Page-Diffs, MediaWiki-Parser, Wikimedia-production-error

Feb 8 2019

Krinkle awarded T109724: A combination of Special:MyPage redirects and pagecounts allows an external site to know the wikipedia login of an user a Orange Medal token.
Feb 8 2019, 7:05 PM · Vuln-Infoleak, MW-1.27-release-notes, MediaWiki-Redirects, MW-1.25-release, MW-1.26-release, MW-1.23-release, MW-1.24-release, Security-Team, Privacy, Security

Jan 31 2017

xcombelle updated the task description for T156803: Handle blocked users consistently.
Jan 31 2017, 3:12 PM · User-notice, MW-1.29-release (WMF-deploy-2017-02-21_(1.29.0-wmf.13)), Patch-For-Review, MediaWiki-extensions-OAuth

Jan 16 2017

xcombelle added a comment to T59154: Flow: Prettify thread permalink URLs/Titles (they are not human readable!).

What is the rationale behind using UUID? Could some kind of counter not work?

Jan 16 2017, 2:48 AM · Growth-Team, Patch-For-Review, Collaboration-Team-Triage, StructuredDiscussions

Jan 10 2017

xcombelle added a comment to T110353: Audit use of cookies.

As T151770 shows, the heavy use of cookies leads to random bugs for intensive users of Wikimedia websites on the latest default versions of Firefox. I hope that enough workforce is put in. I'm afraid it is not the case, as this bug depends on T19108, which is not taken by anybody.

Jan 10 2017, 6:29 AM · Performance-Team, Epic, Sysadmin-notice, Wikimedia-General-or-Unknown

Jan 6 2017

xcombelle added a comment to T124776: ref name with non ascii characters and no quote is incorrectly parsed.

It looks like it was a transient issue and was fixed since,

Jan 6 2017, 12:20 AM · MediaWiki-Parser

Oct 31 2016

xcombelle added a comment to T59739: all-titles file doesn't include namespace prefix.

thanks a lot

Oct 31 2016, 11:46 AM · Patch-For-Review, Dumps-Generation

Oct 20 2016

xcombelle created T148787: add an about page in discenatron.
Oct 20 2016, 8:11 PM · Discovery
xcombelle created T148786: Impossible to really guess what the user looked for in Discenatron.
Oct 20 2016, 8:06 PM · Discovery
xcombelle created T148784: full introduction in results of discenatron.
Oct 20 2016, 7:56 PM · Discovery

Sep 13 2016

xcombelle added a comment to T145279: Interwiki links to articles in other projects from Commons categories via Wikidata.

@Josve05a If I understand well, it is just a matter of Wikidata policy whether Category would be treated as a valid interwiki for Commons; it is not a technical issue (I mean there is no need of new development). So it would be a relevant discussion on Wikidata, but not here. (Anyway, before a development, a consensus on the political issue must be reached first.)

Sep 13 2016, 6:08 AM · SDC General, MediaWiki-Interwiki, MediaWiki-Categories, Commons, Wikidata

Sep 11 2016

xcombelle added a comment to T145279: Interwiki links to articles in other projects from Commons categories via Wikidata.

@Acer: what are your "reasonable, valid, correct, ethic reasons to do so"? Making your purpose less clear does not make it more reasonable, valid, correct and ethic.

Sep 11 2016, 6:11 PM · SDC General, MediaWiki-Interwiki, MediaWiki-Categories, Commons, Wikidata

Aug 21 2016

xcombelle committed rLTWCFRTXVI8dec7e7b7ad5: init readme (authored by xcombelle).
init readme
Aug 21 2016, 2:39 PM

Aug 10 2016

xcombelle added a comment to T91928: The Event Organiser's Userright.

As I see it, removing the IP limit for saving is not needed, as the participants of an event should create an account.

Aug 10 2016, 9:35 PM · MediaWiki-extensions-ThrottleOverride

Apr 22 2016

xcombelle awarded T58362: Allow users to create custom notifications onwiki a Love token.
Apr 22 2016, 4:48 PM · Growth-Team, Collaboration-Team-Triage, StructuredDiscussions, Notifications

Jan 26 2016

xcombelle updated the task description for T124776: ref name with non ascii characters and no quote is incorrectly parsed.
Jan 26 2016, 1:05 PM · MediaWiki-Parser
xcombelle created T124776: ref name with non ascii characters and no quote is incorrectly parsed.
Jan 26 2016, 1:01 PM · MediaWiki-Parser

Jan 16 2016

xcombelle added a comment to T109724: A combination of Special:MyPage redirects and pagecounts allows an external site to know the wikipedia login of an user.

Yes, that used to happen but no longer does AFAIK. See the link I provided.

Jan 16 2016, 2:24 PM · Vuln-Infoleak, MW-1.27-release-notes, MediaWiki-Redirects, MW-1.25-release, MW-1.26-release, MW-1.23-release, MW-1.24-release, Security-Team, Privacy, Security

Dec 19 2015

xcombelle added a comment to T109724: A combination of Special:MyPage redirects and pagecounts allows an external site to know the wikipedia login of an user.

A request to Special:MyPage/ccvhjhdkjvkvkhjhkvkjvdh appears in the pagecounts as a visit to User:Xavier_Combelle/ccvhjhdkjvkvkhjhkvkjvdh

I'm not convinced of the proposed solution. Why downgrade MediaWiki functionality because of an information leak in Wikimedia Foundation infrastructure? I'd rather reverse the burden: we could just stop counting one visit to "User:Xavier_Combelle/ccvhjhdkjvkvkhjhkvkjvdh" and instead add 1 to "Special:MyPage/ccvhjhdkjvkvkhjhkvkjvdh".
We stopped counting the 302'ing special pages after https://meta.wikimedia.org/wiki/Research_talk:Page_view/Archive_1#Special_namespace_and_actual_problems . It doesn't seem impossible to do the opposite (under some condition):

how would the definition count redirects? Only towards the redirect source, only to the target, both, or some other scheme? --QChris (WMF) (talk) 11:33, 23 October 2014 (UTC)

Dec 19 2015, 1:10 PM · Vuln-Infoleak, MW-1.27-release-notes, MediaWiki-Redirects, MW-1.25-release, MW-1.26-release, MW-1.23-release, MW-1.24-release, Security-Team, Privacy, Security
xcombelle added a comment to T109724: A combination of Special:MyPage redirects and pagecounts allows an external site to know the wikipedia login of an user.

Also, the description of the problem lacks one step: the attacker first needs to create "User:Xavier_Combelle/ccvhjhdkjvkvkhjhkvkjvdh" (presumably by creating such a subpage for all users of a wiki?) because 404 are excluded: https://meta.wikimedia.org/wiki/Research:Page_view#Step_1:_apply_general_filters

Dec 19 2015, 12:59 PM · Vuln-Infoleak, MW-1.27-release-notes, MediaWiki-Redirects, MW-1.25-release, MW-1.26-release, MW-1.23-release, MW-1.24-release, Security-Team, Privacy, Security

Sep 14 2015

xcombelle added a comment to T109724: A combination of Special:MyPage redirects and pagecounts allows an external site to know the wikipedia login of an user.

Well, this solution does seem kind of icky due to all the special casing very early in the MW setup process, but I will admit it's elegant in that

  • Not specific to our setup. Would work with other analytic setups that third parties might use.
  • Does not require extra URL parameters that users could forge, or really long ugly tokens.
  • Would allow us to do something like "redirected from Special:MyPage", although this patch does not do that (or other things like setting rel=canonical link)

I'm starting to think this might be the way to go, since I think this would also prevent the attack on very low traffic wikis where there might only be a handful of visits to User: namespace pages in an hour, so even sending the user to just Special:MyPage could leak that the user was one of a small subset of users.

Sep 14 2015, 4:06 PM · Vuln-Infoleak, MW-1.27-release-notes, MediaWiki-Redirects, MW-1.25-release, MW-1.26-release, MW-1.23-release, MW-1.24-release, Security-Team, Privacy, Security
xcombelle added a comment to T109724: A combination of Special:MyPage redirects and pagecounts allows an external site to know the wikipedia login of an user.

My question is: when using the X-analytics:dnt=1 header, where does the visit appear and where does it not appear in the different logs and stats? To avoid the leak, the only thing needed is that it does not appear in page counts. It can still appear in all Wikimedia logs and stats. So I thought that setting the header would just remove it from page counts and so would not impact other internal stats such as the ones needed for "tracking visiting stats of the target of Special:MyLanguage", but maybe I'm wrong.

Oh my bad, I was using page stats and the public page counts as synonyms. I meant just the public page counts (e.g. the stuff on dumps.wikimedia.org, stats.grok.se, etc.)

Sep 14 2015, 3:28 PM · Vuln-Infoleak, MW-1.27-release-notes, MediaWiki-Redirects, MW-1.25-release, MW-1.26-release, MW-1.23-release, MW-1.24-release, Security-Team, Privacy, Security

Sep 13 2015

xcombelle added a comment to T109724: A combination of Special:MyPage redirects and pagecounts allows an external site to know the wikipedia login of an user.

Do you mean that in the envisioned setting the visits are not tracked? What I thought is that they will simply not appear in public page counts?

I'm not sure what you mean by this. Currently Special:MyLanguage/foo redirects to foo/en-gb or foo/fr, etc based on a setting in Special:Preferences. This yields a small amount of private info being leaked by the public stats, which could be exploited, but seems like it would be much more difficult to exploit, compared to Special:MyPage.

Sep 13 2015, 8:19 AM · Vuln-Infoleak, MW-1.27-release-notes, MediaWiki-Redirects, MW-1.25-release, MW-1.26-release, MW-1.23-release, MW-1.24-release, Security-Team, Privacy, Security
xcombelle added a comment to T109724: A combination of Special:MyPage redirects and pagecounts allows an external site to know the wikipedia login of an user.

For reference, there's also similar issues with

  • Special:MyTalk
  • Special:MyContributions (redirects to Special:Contributions/Username)
  • Special:MyUploads
  • Special:AllMyUploads
Sep 13 2015, 7:50 AM · Vuln-Infoleak, MW-1.27-release-notes, MediaWiki-Redirects, MW-1.25-release, MW-1.26-release, MW-1.23-release, MW-1.24-release, Security-Team, Privacy, Security

Sep 11 2015

xcombelle added a comment to T109724: A combination of Special:MyPage redirects and pagecounts allows an external site to know the wikipedia login of an user.

Simple patch to add dnt=1 into x-analytics for User / User_talk namespace pages that don't exist.
An attacker can still send the user to just Special:MyPage on a wiki where they hope the user has created their userpage, and that might narrow down the user to a set of potential users. But that would only work for very targeted attacks, and I'm not sure if that's in the same category as adding a clearly wrong reference in an article to a site you own, logging the IPs referred from the wiki, and then watching which account deletes it on wiki.

Sep 11 2015, 6:03 AM · Vuln-Infoleak, MW-1.27-release-notes, MediaWiki-Redirects, MW-1.25-release, MW-1.26-release, MW-1.23-release, MW-1.24-release, Security-Team, Privacy, Security

Sep 10 2015

xcombelle added a comment to T109724: A combination of Special:MyPage redirects and pagecounts allows an external site to know the wikipedia login of an user.

From a MediaWiki code perspective, to do what you're referring to as a "soft redirect", we would have to add a special case to MediaWiki::initializeArticle (or use the InitializeArticleMaybeRedirect hook). It would be much cleaner to just make special:mypage add a URL parameter to the page it redirects to, and set MediaWiki to add the dnt header on detection of that URL parameter (if we're worried about people forging the header, it could be hashed with some secret/time sensitive or something). However, this would look less elegant to the user. (And I'm unclear how it would interact with varnish cache. Presumably we would only send the header if the user is logged in, and then that would be less of a concern. There's also the issue about if varnish would override the header that csteipp is talking about, which I have no idea about.)

Sep 10 2015, 4:41 PM · Vuln-Infoleak, MW-1.27-release-notes, MediaWiki-Redirects, MW-1.25-release, MW-1.26-release, MW-1.23-release, MW-1.24-release, Security-Team, Privacy, Security

Sep 8 2015

xcombelle added a comment to T109724: A combination of Special:MyPage redirects and pagecounts allows an external site to know the wikipedia login of an user.

@csteipp or somebody else: Could a developer of MediaWiki be involved for analysis of my "soft" redirect solution?

Sep 8 2015, 5:49 PM · Vuln-Infoleak, MW-1.27-release-notes, MediaWiki-Redirects, MW-1.25-release, MW-1.26-release, MW-1.23-release, MW-1.24-release, Security-Team, Privacy, Security

Sep 5 2015

xcombelle added a comment to T109724: A combination of Special:MyPage redirects and pagecounts allows an external site to know the wikipedia login of an user.

@csteipp actually the URL is also replaced in browser history

Sep 5 2015, 8:31 PM · Vuln-Infoleak, MW-1.27-release-notes, MediaWiki-Redirects, MW-1.25-release, MW-1.26-release, MW-1.23-release, MW-1.24-release, Security-Team, Privacy, Security

Sep 4 2015

xcombelle added a comment to T109724: A combination of Special:MyPage redirects and pagecounts allows an external site to know the wikipedia login of an user.

Filtering the non-existent page could limit the attacking power but not remove it. For example, a burst in page views could still be detected.

Sep 4 2015, 7:40 PM · Vuln-Infoleak, MW-1.27-release-notes, MediaWiki-Redirects, MW-1.25-release, MW-1.26-release, MW-1.23-release, MW-1.24-release, Security-Team, Privacy, Security
xcombelle added a comment to T59154: Flow: Prettify thread permalink URLs/Titles (they are not human readable!).

A possibility would be that [[Flow:<some-id>/original-title]] would be the canonical link to a Flow discussion, which, if the discussion is renamed, would become a permanent redirect to [[Flow:<some-id>/new-title]]. It is what http://stackoverflow.com does for questions and I found it handy (modulo the fact that there are a lot more Flow IDs than Stack Overflow questions).

Sep 4 2015, 7:22 PM · Growth-Team, Patch-For-Review, Collaboration-Team-Triage, StructuredDiscussions

Sep 3 2015

xcombelle added a comment to T109724: A combination of Special:MyPage redirects and pagecounts allows an external site to know the wikipedia login of an user.

If you watch the requests your browser makes, https://en.wikipedia.org/w/index.php?title=Special:MyPage is redirected to https://en.wikipedia.org/wiki/Special:MyPage, which is redirected to https://en.wikipedia.org/wiki/User:<your_ip_or_your_user_name>

Sep 3 2015, 8:25 AM · Vuln-Infoleak, MW-1.27-release-notes, MediaWiki-Redirects, MW-1.25-release, MW-1.26-release, MW-1.23-release, MW-1.24-release, Security-Team, Privacy, Security

Aug 30 2015

xcombelle added a comment to T109724: A combination of Special:MyPage redirects and pagecounts allows an external site to know the wikipedia login of an user.

@Bawolff just tested: https://en.wikipedia.org/w/index.php?title=Special:MyPage/ccvhjhdkjvkvkhjhkvkjvdh redirects to https://en.wikipedia.org/wiki/Special:MyPage/ccvhjhdkjvkvkhjhkvkjvdh

Aug 30 2015, 11:29 AM · Vuln-Infoleak, MW-1.27-release-notes, MediaWiki-Redirects, MW-1.25-release, MW-1.26-release, MW-1.23-release, MW-1.24-release, Security-Team, Privacy, Security

Aug 27 2015

xcombelle closed T110221: when prefixing domain by http:// in Special:LinkSearch you are redirected to the site in question as Invalid.

Sorry for the noise, it's clearly a browser thing; I got similar behavior with another site.

Aug 27 2015, 8:20 PM · MediaWiki-Special-pages

Aug 26 2015

xcombelle renamed T110221: when prefixing domain by http:// in Special:LinkSearch you are redirected to the site in question from when prefixing domain by http:// in Special:LinkSearch External links search redirect to the site in question to when prefixing domain by http:// in Special:LinkSearch you are redirected to the site in question.
Aug 26 2015, 11:55 AM · MediaWiki-Special-pages
xcombelle renamed T110221: when prefixing domain by http:// in Special:LinkSearch you are redirected to the site in question from when prefixing domain by http:// External links search redirect to the site in question to when prefixing domain by http:// in Special:LinkSearch External links search redirect to the site in question.
Aug 26 2015, 11:54 AM · MediaWiki-Special-pages

Aug 25 2015

xcombelle created T110221: when prefixing domain by http:// in Special:LinkSearch you are redirected to the site in question.
Aug 25 2015, 5:55 PM · MediaWiki-Special-pages

Aug 20 2015

xcombelle renamed T109724: A combination of Special:MyPage redirects and pagecounts allows an external site to know the wikipedia login of an user from to A combination of Special:MyPage redirects and pagecounts allows an external site to know the wikipedia login of an user.
Aug 20 2015, 4:06 PM · Vuln-Infoleak, MW-1.27-release-notes, MediaWiki-Redirects, MW-1.25-release, MW-1.26-release, MW-1.23-release, MW-1.24-release, Security-Team, Privacy, Security

Aug 14 2015

xcombelle added a comment to T109070: Page view statistics looks not updated since 2015-08-13 at 18:00:00.

thanks

Aug 14 2015, 7:04 PM · Analytics
xcombelle created T109070: Page view statistics looks not updated since 2015-08-13 at 18:00:00.
Aug 14 2015, 1:31 PM · Analytics

Aug 9 2015

Restricted Application updated subscribers of T52830: Debug mode causes different rendering of CSS in IE9.

On French Wikipédia, still with IE9, there is different behavior in debug mode and in normal mode.
The major problems are the edit button (in wiki mode: "Modifier") doesn't display neither the portal parts nor the categories.
It was described on the 7th of August on Le Bistro (the French village pump), first in this thread:
https://fr.wikipedia.org/wiki/Wikip%C3%A9dia:Le_Bistro/7_ao%C3%BBt_2015#Les_portails_et_les_cat.C3.A9gories_n.27apparaissent_plus_.21

Aug 9 2015, 4:27 PM · Performance-Team, MediaWiki-ResourceLoader, Browser-Support-Internet-Explorer